IDS mailing list archives
Gartner comments (was Re: Rather funny; looks like page defacement to me)
From: Randy Taylor <gnu () charm net>
Date: Tue, 17 Jun 2003 13:28:01 -0400
At 11:29 AM 6/13/2003 -0400, Anton Chuvakin wrote:

> All, this link was posted on the snort site. I figured I'd send it to the list, since it's a fascinating read.
> http://www.gartner.com/5_about/press_releases/pr11june2003c.jsp

<snipped>

My two cents or less, depending on your point of view. ;) I'll stick with the Gartner web page text.

"False positives and negatives"

All IDS systems produce falses. In fact, all network security devices can false, not just IDS. I've seen many AV falses while it monitors my inbox.

"An increased burden on the IS organization by requiring full-time monitoring (24 hours a day, seven days a week, 365 days a year)"

This requirement isn't restricted to IDS. It also applies to firewalls. All of the enterprise-level customers I work with had 24x7x365 firewall monitoring long before they deployed their first IDS. Sorry Gartner, you really missed the boat on this one.

"A taxing incident-response process"

Reading into this somewhat, it sounds like Gartner is angling toward the "set and forget", or "zero-admin" pitch. Ain't gonna happen - ever. Nor should it. Humans must always be in the security process loop. There are numerous guides out there for developing and/or improving incident response processes. And again, IR applies to all security devices, not just IDS. How much IR had to be done as the result of the "I love you" stuff? And that was AV IR, not IDS.

And because humans must be in the loop, they must be trained and trained well. Sorry business - cough up the bucks and get it done. If there's any lesson from 9/11 it's that one can't afford not to protect anything - from the parking lot to the network head-end. I would like to think no company in its right mind would rely on totally automated physical security. Think of the risks there. Network security is no different.

"An inability to monitor traffic at transmission rates greater than 600 megabits per second"

True right now for IDS that operates purely as software relying on generic hardware platforms and a supporting third-party OS. False right now for IDS that are embedded in hardware/firmware. One has to wonder if Gartner looked at OSEC testing results on the Neohapsis site?

One also has to ask how much of a market is there for speeds above OC-48? In a conversation with a friend of mine a couple of weeks ago, I offered the enterprise-side position of "we have to monitor an OC-192 pipe" as a baseline. My friend countered with the position that there's a lot more 100Base-TX lines out there than fiber. My friend was right. Installed base as a market driver trumps "faster is better" every time.

One also has to look at what's going to happen to a fat fiber pipe when it hits the head-end. It gets split into smaller pipes - heh - just like copper pipes. So that OC-192 gets stepped down to several OC-18's or OC-12's. How far away from 600 Mbps is an OC-12? 22.080 MHz. By the time you strip out the overhead rate, OC-12 payload rate is 601.344 MHz.

Will pure software IDS always be unable to operate above 600 Mbps? No. Is embedded IDS better simply because of its ability to handle higher speeds? No. It's a cost/benefit analysis, a features/performance analysis, etc. Will everyone have fiber to the desktop by '05? Your guess is as good as mine, but I would be willing to bet software IDS will be able to handle OC-18 or OC-24 by then.

"Gartner recommends that enterprises redirect the money they would have spent on IDS toward defense applications such as those offered by thought-leading firewall vendors that offer both network-level and application-level firewall capabilities in an integrated product. Intrusion detection systems are a market failure, and vendors are now hyping intrusion prevention systems, which have also stalled," said Richard Stiennon, research vice president for Gartner. "Functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking, as well as antivirus activities."

Here I think Gartner is on the correct path, at least in part. Quoting Bill Royds in an earlier post, "...an IPS is really a firewall with dynamically generated rule set." Unfortunately, the supporting evidence for Gartner's statement that IPS has stalled is missing. Wanting to call IPS an integration of IDS into a firewall or an integration of a firewall into an IDS is so much semantics and depends on the vendor doing the market spin. For instance, Checkpoint might call it an integration of IDS into its firewall, while IntruVert might call it an integration of firewall capabilities into its IDS. It sounds to me like the message spun by firewall vendors stuck with Gartner while the message spun by IPS vendors didn't.

IDS is no longer in its infancy - late adolescence perhaps - but neither infancy nor adulthood. Firewalls have been around for a longer period of time, so perhaps they are perceived by Gartner as more mature. But firewalls are relatively simple systems compared to IDS. In my opinion, IPS - whether firewall+IDS or IDS+firewall - is a worthwhile path going forward. The trick to success will be the capability to very accurately detect an incident. Do that with a very low false rate and reliable response is possible. But I'd be willing to bet the device making those decisions will require tuning and trained staff to monitor it, maintain it, and respond to incidents. ;)

Finally, Gartner itself is a vendor, selling its product, too. Because of that, it is itself a hype machine and should include itself in its own "Information Security Hype Cycle". And to get to the meat of their "Hype Cycle" papers, guess what? You gotta pay for it.

All in all, Gartner's text is just another case of a vendor "hollering the loud, funny words". "...sound and fury, signifying nothing" may also apply here as well, but the really sad part is that a lot of companies treat Gartner as gospel.

Best regards,

Randy

-----
"Nor does it do anything to make lemons bigger or encourage owls to explode." --- MartinG on /.
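As an added worked example (this is not part of Randy's post or of any product he mentions), here is the SONET rate arithmetic behind the OC-12 comparison above, generalised to any OC-n level: the raw line rate from the 810-byte STS-1 frame sent 8000 times a second, the synchronous payload envelope (SPE) rate once the transport-overhead columns are stripped, and how many sensors of a given capacity a head-end would need after a fat trunk is split into smaller feeds. The 600 Mbps sensor ceiling is taken from the Gartner text quoted in the post; the helper names and the sensor-count rule are my own assumptions, and rates are expressed in bits per second.

```python
"""SONET OC-n rate arithmetic for sizing IDS sensor capacity (added example)."""

# SONET constants: one frame every 125 microseconds, i.e. 8000 frames per second.
FRAMES_PER_SECOND = 8000
STS1_FRAME_BYTES = 810   # 9 rows x 90 columns
STS1_SPE_BYTES = 783     # 9 rows x 87 columns (frame minus 3 transport-overhead columns)

# Capacity figure quoted from the Gartner press release in the thread.
GARTNER_SENSOR_LIMIT_BPS = 600_000_000


def line_rate_bps(oc_level: int) -> int:
    """Raw OC-n line rate: 51.84 Mbps per STS-1, scaled by n."""
    if oc_level < 1:
        raise ValueError("OC level must be a positive integer")
    return STS1_FRAME_BYTES * 8 * FRAMES_PER_SECOND * oc_level


def spe_rate_bps(oc_level: int) -> int:
    """Payload (SPE) rate after transport overhead: 50.112 Mbps per STS-1, scaled by n."""
    if oc_level < 1:
        raise ValueError("OC level must be a positive integer")
    return STS1_SPE_BYTES * 8 * FRAMES_PER_SECOND * oc_level


def headroom_bps(oc_level: int, sensor_capacity_bps: int = GARTNER_SENSOR_LIMIT_BPS) -> int:
    """How far the raw line rate sits above (positive) or below (negative) a sensor's capacity."""
    return line_rate_bps(oc_level) - sensor_capacity_bps


def sensors_needed(oc_level: int, sensor_capacity_bps: int = GARTNER_SENSOR_LIMIT_BPS) -> int:
    """Minimum number of sensors of the given capacity to cover the SPE payload of an OC-n trunk
    once the head-end splits it into smaller feeds (assumed rule: payload / capacity, rounded up)."""
    if sensor_capacity_bps <= 0:
        raise ValueError("sensor capacity must be positive")
    payload = spe_rate_bps(oc_level)
    return -(-payload // sensor_capacity_bps)  # integer ceiling division


if __name__ == "__main__":
    for n in (3, 12, 48, 192):
        print(
            f"OC-{n:<4} line {line_rate_bps(n) / 1e6:9.3f} Mbps  "
            f"payload {spe_rate_bps(n) / 1e6:9.3f} Mbps  "
            f"sensors@600Mbps {sensors_needed(n)}"
        )
```

Running it shows OC-12 at 622.080 Mbps on the wire and 601.344 Mbps of payload, i.e. 22.080 Mbps over the quoted ceiling, while an OC-192 trunk split across 600 Mbps sensors would need 17 of them.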